The people from Ubuntu pointed me to this bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=663127
Enabling SSL3 on the server with these commands served as a workaround:

    ldapmodify -D "cn=directory manager" -W -p 389 -h localhost -x
    dn: cn=encryption,cn=config
    changetype: modify
    replace: nsSSL3
    nsSSL3: on
    exit

But the client doesn't completely join the domain, because there is no system-wide NSS database on the system:
    New SSSD config will be created.
    root        : INFO     New SSSD config will be created
    Configured /etc/sssd/sssd.conf
    root        : DEBUG    args=/usr/bin/certutil -A -d /etc/pki/nssdb -n IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt
    root        : DEBUG    stdout=
    root        : DEBUG    stderr=certutil: function failed: security library: bad database.

    Traceback (most recent call last):
      File "/usr/sbin/ipa-client-install", line 1292, in <module>
        sys.exit(main())
      File "/usr/sbin/ipa-client-install", line 1279, in main
        rval = install(options, env, fstore, statestore)
      File "/usr/sbin/ipa-client-install", line 1124, in install
        run(["/usr/bin/certutil", "-A", "-d", "/etc/pki/nssdb", "-n", "IPA CA", "-t", "CT,C,C", "-a", "-i", "/etc/ipa/ca.crt"])
      File "/usr/lib/python2.7/dist-packages/ipapython/ipautil.py", line 273, in run
        raise CalledProcessError(p.returncode, args)
    subprocess.CalledProcessError: Command '/usr/bin/certutil -A -d /etc/pki/nssdb -n IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt' returned non-zero exit status 255
    pasqual@ubuntuprovesfreeipa:~$

I can create it with these commands:

    mkdir -p /etc/pki/nssdb
    certutil -N -d /etc/pki/nssdb

but it asks for a password. There are some obscure references to using a password file called pwdfile.txt that resides on the server, but I'm not sure what to do now. Perhaps the password must be blank. Any idea?
Thanks

On 11/05/12 16:40, pasqual milvaques wrote:
I have downloaded and compiled some versions of gnutls and this is the result:

    gnutls-2.8.5:   works
    gnutls-2.12.19: fail
    gnutls-3.0.19:  fail

This must affect distributions in which ldaps connections are based on gnutls (I only know of Debian and Ubuntu). The problem can be tested with this command:

    gnutls-cli -d 4 -p 636 freeipaserver.linux.gva.es

If you have a problematic gnutls version the command ends with these lines:

    ...
    |<3>| HSK[0x9bb40d0]: CLIENT HELLO was sent [151 bytes]
    |<4>| REC[0x9bb40d0]: Sending Packet[0] Handshake(22) with length: 151
    |<4>| REC[0x9bb40d0]: Sent Packet[1] Handshake(22) with length: 156
    |<2>| ASSERT: gnutls_buffers.c:640
    |<2>| ASSERT: gnutls_record.c:969
    |<2>| ASSERT: gnutls_handshake.c:2762
    *** Fatal error: A TLS packet with unexpected length was received.
    |<4>| REC: Sending Alert[2|22] - Record overflow
    |<4>| REC[0x9bb40d0]: Sending Packet[1] Alert(21) with length: 2
    |<4>| REC[0x9bb40d0]: Sent Packet[2] Alert(21) with length: 7
    *** Handshake has failed
    GnuTLS error: A TLS packet with unexpected length was received.
    |<4>| REC[0x9bb40d0]: Epoch #0 freed
    |<4>| REC[0x9bb40d0]: Epoch #1 freed
    pasqual@ubuntuprovesfreeipa:~/gnutls-2.12.19$

Any idea how to make this work?

On 11/05/12 13:16, pasqual milvaques wrote:

I'm trying to join an Ubuntu 12.04 machine to a FreeIPA domain installed on a CentOS 6.2 machine, and it seems there is some problem with the TLS negotiation. Ubuntu 12.04 uses gnutls instead of openssl, so the problem could be there, but I don't know how to solve it. With the ldapsearch command I can also reproduce the failure. I have opened this Ubuntu bug, as FreeIPA now has a native client package: https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/997990

Any idea?
This is the log of the operation:

    pasqual@ubuntuprovesfreeipa:~$ sudo ipa-client-install -d --enable-dns-updates
    [sudo] password for pasqual:
    root        : DEBUG    /usr/sbin/ipa-client-install was invoked with options: {'conf_ntp': True, 'domain': None, 'uninstall': False, 'force': False, 'sssd': True, 'krb5_offline_passwords': True, 'hostname': None, 'permit': False, 'server': None, 'prompt_password': False, 'mkhomedir': False, 'dns_updates': True, 'preserve_sssd': False, 'debug': True, 'on_master': False, 'ntp_server': None, 'realm_name': None, 'unattended': None, 'principal': None}
    root        : DEBUG    missing options might be asked for interactively later
    root        : DEBUG    Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
    root        : DEBUG    Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
    root        : DEBUG    [ipadnssearchldap(linux.gva.es)]
    root        : DEBUG    [ipadnssearchldap(gva.es)]
    root        : DEBUG    [ipadnssearchldap(es)]
    root        : DEBUG    [ipadnssearchldap(linux.gva.es)]
    root        : DEBUG    [ipadnssearchldap(gva.es)]
    root        : DEBUG    [ipadnssearchldap(es)]
    root        : DEBUG    Domain not found
    DNS discovery failed to determine your DNS domain
    Provide the domain name of your IPA server (ex: example.com): linux.gva.es
    root        : DEBUG    will use domain: linux.gva.es
    root        : DEBUG    [ipadnssearchldap]
    root        : DEBUG    IPA Server not found
    DNS discovery failed to find the IPA Server
    Provide your IPA server name (ex: ipa.example.com): freeipaserver.linux.gva.es
    root        : DEBUG    will use server: freeipaserver.linux.gva.es
    root        : DEBUG    [ipadnssearchkrb]
    root        : DEBUG    [ipacheckldap]
    root        : DEBUG    args=/usr/bin/wget -O /tmp/tmpWptXwb/ca.crt -T 15 -t 2 http://freeipaserver.linux.gva.es/ipa/config/ca.crt
    root        : DEBUG    stdout=
    root        : DEBUG    stderr=--2012-05-11 12:06:09--  http://freeipaserver.linux.gva.es/ipa/config/ca.crt
    Resolving freeipaserver.linux.gva.es (freeipaserver.linux.gva.es)... 192.168.222.99
    Connecting to freeipaserver.linux.gva.es (freeipaserver.linux.gva.es)|192.168.222.99|:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 1325 (1.3K) [application/x-x509-ca-cert]
    Saving to: '/tmp/tmpWptXwb/ca.crt'

         0K .                                                     100% 38.4M=0s

    2012-05-11 12:06:09 (38.4 MB/s) - '/tmp/tmpWptXwb/ca.crt' saved [1325/1325]

    root        : DEBUG    Init ldap with: ldap://freeipaserver.linux.gva.es:389
    root        : ERROR    LDAP Error: Connect error: A TLS packet with unexpected length was received.
    Failed to verify that freeipaserver.linux.gva.es is an IPA Server.
    This may mean that the remote server is not up or is not reachable due to network or firewall settings.
    Installation failed. Rolling back changes.
    IPA client is not configured on this system.
    pasqual@ubuntuprovesfreeipa:~$

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
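An added example, not code from the thread, FreeIPA, 389-ds or GnuTLS: the gnutls-cli trace above dies with "A TLS packet with unexpected length was received", which is gnutls's record-layer error when the reply it is reading is cut short, typically because the peer closed the connection before sending a full record, or because fewer bytes follow the 5-byte record header than the header declares. The probe below sends a bare ClientHello with a chosen record-layer version and a chosen ClientHello version to a port and classifies the first record that comes back (ServerHello, fatal alert, record overflow, length mismatch, or not TLS at all), so you can see what the server accepts from which client version before and after toggling nsSSL3 on the server side. The host and port are arguments, the cipher suites are an arbitrary small set, and the sample reply byte strings are constructed for the example; nothing here determines which side was at fault in the thread.

```python
"""Bare TLS record-layer probe: send a ClientHello, classify the first reply record.

Added example; not code from FreeIPA, GnuTLS or the mailing-list thread. The host,
port, cipher suites and the SAMPLE_* byte strings are constructed for illustration.
"""
import socket
import struct
import sys

CONTENT_ALERT = 21
CONTENT_HANDSHAKE = 22
HS_CLIENT_HELLO = 1
HS_SERVER_HELLO = 2
MAX_RECORD = 2 ** 14 + 2048      # larger records are a record_overflow per RFC 5246

ALERT_NAMES = {0: "close_notify", 22: "record_overflow", 40: "handshake_failure",
               70: "protocol_version", 80: "internal_error"}


def build_client_hello(client_version=(3, 1), record_version=(3, 1),
                       cipher_suites=(0x002F, 0x0035, 0x000A), client_random=b"\x00" * 32):
    """Minimal TLS ClientHello (no extensions) wrapped in a single record.

    client_version goes inside the hello, record_version into the 5-byte record header;
    old servers can be picky about either, so they are separate knobs.
    (3,0)=SSL3, (3,1)=TLS1.0, (3,2)=TLS1.1, (3,3)=TLS1.2.
    """
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (struct.pack("!BB", *client_version) + client_random
            + b"\x00"                                  # session_id length 0
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                             # one compression method: null
    handshake = struct.pack("!B", HS_CLIENT_HELLO) + struct.pack("!I", len(body))[1:] + body
    return struct.pack("!BBBH", CONTENT_HANDSHAKE, *record_version, len(handshake)) + handshake


def parse_record(data):
    """Classify the first record of a reply. Always returns a dict with a 'status' key."""
    if len(data) < 5:
        # Peer closed (or we timed out) before a whole record header arrived; gnutls reports
        # this premature close as "A TLS packet with unexpected length was received".
        return {"status": "unexpected_length", "declared_length": None, "available": len(data)}
    ctype, vmaj, vmin, length = struct.unpack("!BBBH", data[:5])
    if ctype not in (20, 21, 22, 23) or vmaj != 3:
        return {"status": "not_tls", "first_bytes": data[:5]}
    rec = {"type": ctype, "version": (vmaj, vmin), "declared_length": length,
           "available": len(data) - 5}
    if length > MAX_RECORD:
        rec["status"] = "record_overflow"
    elif len(data) - 5 < length:
        rec["status"] = "unexpected_length"            # header promises more bytes than arrived
    else:
        payload = data[5:5 + length]
        if ctype == CONTENT_ALERT and length == 2:
            rec["status"] = "alert"
            rec["alert"] = ("fatal" if payload[0] == 2 else "warning",
                            ALERT_NAMES.get(payload[1], str(payload[1])))
        elif ctype == CONTENT_HANDSHAKE and length >= 6 and payload[0] == HS_SERVER_HELLO:
            rec["status"] = "server_hello"
            rec["server_version"] = (payload[4], payload[5])   # version the server picked
        else:
            rec["status"] = "other"
    return rec


def probe(host, port=636, client_version=(3, 1), record_version=(3, 1), timeout=5.0):
    """Connect, send the ClientHello, read until one full record (or EOF/timeout), classify it."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(client_version, record_version))
        try:
            while len(data) < 5 or len(data) - 5 < struct.unpack("!H", data[3:5])[0]:
                chunk = sock.recv(4096)
                if not chunk:
                    break                               # peer closed the connection
                data += chunk
        except socket.timeout:
            pass
    return parse_record(data)


def sweep(host, port=636):
    """Try the record/hello version combinations a client might send; map each to a status."""
    results = {}
    for rv in ((3, 0), (3, 1)):
        for cv in ((3, 0), (3, 1), (3, 2), (3, 3)):
            try:
                results[(rv, cv)] = probe(host, port, cv, rv)["status"]
            except OSError as exc:
                results[(rv, cv)] = "error: %s" % exc
    return results


# Constructed sample replies (not captured from any real server).
SAMPLE_SERVER_HELLO = (b"\x16\x03\x01\x00\x2a"             # handshake record, TLS 1.0, 42 bytes
                       + b"\x02\x00\x00\x26"               # ServerHello, 38-byte body
                       + b"\x03\x01" + b"\x00" * 32        # server_version TLS 1.0, server_random
                       + b"\x00" + b"\x00\x2f" + b"\x00")  # no session id, AES128-SHA, null compression
SAMPLE_FATAL_ALERT = b"\x15\x03\x01\x00\x02\x02\x46"       # alert record: fatal (2), protocol_version (70)
SAMPLE_TRUNCATED = SAMPLE_SERVER_HELLO[:20]                # header promises 42 bytes, only 15 follow
SAMPLE_NOT_TLS = b"HTTP/1.0 400 Bad Request\r\n"           # a plaintext service answered instead

if __name__ == "__main__":
    if len(sys.argv) >= 2:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 636
        for (rv, cv), status in sorted(sweep(sys.argv[1], port).items()):
            print("record %d.%d hello %d.%d -> %s" % (rv + cv + (status,)))
    else:
        for name, sample in (("server_hello", SAMPLE_SERVER_HELLO), ("fatal_alert", SAMPLE_FATAL_ALERT),
                             ("truncated", SAMPLE_TRUNCATED), ("not_tls", SAMPLE_NOT_TLS)):
            print(name, parse_record(sample))
```

Run it as `python3 probe.py freeipaserver.example 636` (hostname assumed) to get one line per version combination; with no arguments it classifies the constructed samples. A sweep in which every row comes back `unexpected_length` with `available` 0 means the server closed the connection without answering, which is a different finding from a `protocol_version` alert, and is what you would compare against the gnutls-cli trace before changing anything on the server.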